Topic
This article explains the purpose of the permissions requested by NinjaOne for the Microsoft Intune integration.
Environment
- NinjaOne Integrations
- Microsoft Intune
Description
The following table describes the Microsoft Graph permissions requested by NinjaOne.
All permissions require administrator consent, except for the User.Read permission. For examples of when you would use each permission in a business scenario, refer to the Permission Use Cases section of this article.
| Permission ID | Permission Name | Permission Display Text | Description |
|---|---|---|---|
| e1fe6dd8-ba31-4d61-89e7-88639da4683d | User.Read | Read user's full profile | Read the full profile of the signed-in user. It also allows the app to read the full profiles of other users in the organization if the signed-in user is an admin. |
| 7438b122-aefc-4978-80ed-43db9fcc7715 | Device.Read.All | Read all devices | Read all device properties without a signed-in user. |
| 9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30 | Application.Read.All | Read all applications | Read all applications and service principals without a signed-in user. |
| df021288-bdef-4463-88db-98f22de89214 | User.Read.All | Read all users' full profiles | Read the full profiles of all users in your organization, including names, titles, photos, and other directly identifying information. |
| 7ab1d382-f21e-4acd-a863-ba3e13f7da61 | Directory.Read.All | Read directory data | Read data in your organization's directory, such as users, groups, and devices, without a signed-in user. |
| 5b567255-7703-4780-807c-7be8301ae99b | Group.Read.All | Read all groups | Read all groups in the directory. |
| 498476ce-e0fe-48b0-b801-37ba7e2685c6 | Organization.Read.All | Read organization properties | Read the properties of your organization. |
| 246dd0d5-5bd0-4def-940b-0421030a5b68 | Policy.Read.All | Read all policies | Read your organization's policies without a signed-in user. |
| c74fd47d-ed3c-45c3-9a9e-b8676de685d2 | EntitlementManagement.Read.All | Read entitlement management data | Read entitlement management data, such as access packages, catalogs, and assignments, without a signed-in user. |
| ServicePrincipal.Read.All | ServicePrincipal.Read.All | Read all service principals | Read all service principals without a signed-in user. |
| dc149144-f292-421e-b185-5953f2e98d7f | AppCatalog.ReadWrite.All | Read and write to all app catalogs | Create, read, update, and delete apps in the app catalogs without a signed-in user. |
| 3be0012a-cc4e-426b-895b-f9c836bf6381 | Application-RemoteDesktopConfig.ReadWrite.All | Read and write the remote desktop security configuration for all apps | Read and write the remote desktop security configuration for all apps in your organization, without a signed-in user. |
| 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9 | Application.ReadWrite.All | Read and write all applications | Create, read, update and delete applications and service principals without a signed-in user. Does not allow management of consent grants. |
| 06b708a9-e830-4db3-a914-8e69da51d44f | AppRoleAssignment.ReadWrite.All | Manage app permission grants and app role assignments | Manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user. |
| b0afded3-3588-46d8-8b3d-9842eff778da | AuditLog.Read.All | Read all audit log data | Read and query your audit log activities, without a signed-in user. |
| 5e1e9171-754d-478c-812c-f1755a9a4c2d | AuditLogsQuery.Read.All | Read audit logs data from all services | Read and query audit logs from all services. |
| 57f1cf28-c0c4-4ec3-9a30-19a2eaaf2f6e | BitlockerKey.Read.All | Read all BitLocker keys | Read BitLocker keys for all devices, without a signed-in user. Allows read of the recovery key. |
| 3b4349e1-8cf5-45a3-95b7-69d1751d3e6a | CloudPC.ReadWrite.All | Read and write Cloud PCs | Read and write the properties of Cloud PCs, without a signed-in user. |
| 2f503208-e509-4e39-974c-8cc16e5785c9 | CustomTags.ReadWrite.All | Read and write custom tags data | Read and write custom tags data, without a signed-in user. |
| cc13eba4-8cd8-44c6-b4d4-f93237adce58 | DelegatedAdminRelationship.ReadWrite.All | Manage Delegated Admin relationships with customers | Manage (create-update-terminate) Delegated Admin relationships with customers and role assignments to security groups for active Delegated Admin relationships without a signed-in user. |
| 8e8e4742-1d95-4f68-9d56-6ee75648c72a | DelegatedPermissionGrant.ReadWrite.All | Manage all delegated permission grants | Manage permission grants for delegated permissions exposed by any API (including Microsoft Graph), without a signed-in user. |
| 1138cb37-bd11-4084-a2b7-9f71582aeddb | Device.ReadWrite.All | Read and write devices | Read and write all device properties without a signed-in user. It does not allow device creation, device deletion, or update of device alternative security identifiers. |
| 884b599e-4d48-43a5-ba94-15c414d00588 | DeviceLocalCredential.Read.All | Read device local credential passwords | Read device local credential properties including passwords, without a signed-in user. |
| 78145de6-330d-4800-a6ce-494ff2d33d07 | DeviceManagementApps.ReadWrite.All | Read and write Microsoft Intune apps | Read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user. |
| f15eb2ba-ef8a-4f70-991d-da5d045154e2 | DeviceManagementCloudCA.ReadWrite.All | Read and write Microsoft Cloud PKI objects | Read and write certification authority information without a signed-in user. |
| 9241abd9-d0e6-425a-bd4f-47ba86e767a4 | DeviceManagementConfiguration.ReadWrite.All | Read and write Microsoft Intune device configuration and policies | Read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user. |
| 5b07b0dd-2377-4e44-a38d-703f09a0dc3c | DeviceManagementManagedDevices.PrivilegedOperations.All | Perform user-impacting remote actions on Microsoft Intune devices | Perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune, without a signed-in user. |
| 243333ab-4d21-40cb-a475-36241daa0842 | DeviceManagementManagedDevices.ReadWrite.All | Read and write Microsoft Intune devices | Read and write the properties of devices managed by Microsoft Intune, without a signed-in user. Does not allow high impact operations such as remote wipe and password reset on the device's owner. |
| e330c4f0-4170-414e-a55a-2f022ec2b57b | DeviceManagementRBAC.ReadWrite.All | Read and write Microsoft Intune RBAC settings | Read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user. |
| 9255e99d-faf5-445e-bbf7-cb71482737c4 | DeviceManagementScripts.ReadWrite.All | Read and write Microsoft Intune Scripts | Read and write Microsoft Intune device compliance scripts, device management scripts, device shell scripts, device custom attribute shell scripts and device health scripts, without a signed-in user. |
| 5ac13192-7ace-4fcf-b828-1a26f28068ee | DeviceManagementServiceConfig.ReadWrite.All | Read and write Microsoft Intune configuration | Read and write Microsoft Intune service properties including device enrollment and third party service connection configuration, without a signed-in user. |
| abf6441f-0772-4932-96e7-0191478dd73a | DeviceTemplate.Create | Create device template | Create device templates. The app is marked as owner of the created device template. As a member of owners, the app will be allowed to manage devices created from the template. |
| 9fadb66e-6421-4744-aede-4ab6fb98a884 | DeviceTemplate.ReadWrite.All | Read and write all device templates | Create, read, update and delete any device template, without a signed-in user. It also allows the app to add or remove owners on any device template. |
| 19dbc75e-c2e2-444c-a770-ec69d8559fc7 | Directory.ReadWrite.All | Read and write directory data | Read and write data in your organization's directory, such as users, and groups, without a signed-in user. Does not allow user or group deletion. |
| 7e05723c-0bb0-42da-be95-ae9f08a6e53c | Domain.ReadWrite.All | Read and write domains | Read and write all domain properties without a signed-in user. Also allows the app to add, verify and remove domains. |
| bf7b1a76-6e77-406b-b258-bf5c7720e98f | Group.Create | Create groups | Create groups without a signed-in user. |
| 62a82d76-70ea-41e2-9197-370581804d09 | Group.ReadWrite.All | Read and write all groups | Create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write conversations. All of these operations can be performed by the app without a signed-in user. |
| dbaae8cf-10b5-4b86-a4a1-f871c94c6695 | GroupMember.ReadWrite.All | Read and write all group memberships | List groups, read basic properties, read and update the membership of the groups this app has access to without a signed-in user. Group properties and owners cannot be updated and groups cannot be deleted. |
| 5facf0c1-8979-4e95-abcf-ff3d079771c0 | LicenseAssignment.ReadWrite.All | Manage all license assignments | Manage license assignments for users and groups, without a signed-in user. |
| 920def01-ca61-4d2d-b3df-105b46046a70 | MultiTenantOrganization.ReadWrite.All | Read and write all multi-tenant organization details and tenants | Read and write all multi-tenant organization details and tenants, without a signed-in user. |
| 292d869f-3427-49a8-9dab-8c70152b74e9 | Organization.ReadWrite.All | Read and write organization information | Read and write the organization and related resources, without a signed-in user. Related resources include things like subscribed skus and tenant branding information. |
| 2d510721-5c4e-43cd-bfdb-ac0f8819fb92 | PlaceDevice.ReadWrite.All | Read and write all workplace devices | Read and write all workplace devices, without a signed-in user. |
| 01c0a623-fc9b-48e9-b794-0756f8e8f067 | Policy.ReadWrite.ConditionalAccess | Read and write your organization's conditional access policies | Read and write your organization's conditional access policies, without a signed-in user. |
| 230fb2d5-aa21-49c1-bfa7-ae1be179d867 | Policy.ReadWrite.DeviceConfiguration | Read and write your organization's device configuration policies | Read and write your organization's device configuration policies without a signed-in user. For example, device registration policy can limit initial provisioning controls using quota restrictions, additional authentication and authorization checks. |
| 2044e4f1-e56c-435b-925c-44cd8f6ba89a | Policy.ReadWrite.FeatureRollout | Read and write feature rollout policies | Read and write feature rollout policies without a signed-in user. Includes abilities to assign and remove users and groups to rollout of a specific feature. |
| a402ca1c-2696-4531-972d-6e5ee4aa11ea | Policy.ReadWrite.PermissionGrant | Manage consent and permission grant policies | Manage policies related to consent and permission grants for applications, without a signed-in user. |
| 1c6e93a6-28e2-4cbb-9f64-1a46a821124d | Policy.ReadWrite.SecurityDefaults | Read and write your organization's security defaults policy | Read and write your organization's security defaults policy, without a signed-in user. |
| 274d0592-d1b6-44bd-af1d-26d259bcb43a | RoleManagement.ReadWrite.CloudPC | Read and write all Cloud PC RBAC settings | Read and manage the Cloud PC role-based access control (RBAC) settings, without a signed-in user. This includes reading and managing Cloud PC role definitions and memberships. |
| 31e08e0a-d3f7-4ca2-ac39-7343fb83e8ad | RoleManagementPolicy.ReadWrite.Directory | Read, update, and delete all policies for privileged role assignments of your company's directory | Read, update, and delete policies for privileged role-based access control (RBAC) assignments of your company's directory, without a signed-in user. |
| 79c02f5b-bd4f-4713-bc2c-a8a4a66e127b | TeamworkDevice.ReadWrite.All | Read and write Teams devices | Read and write the management data for Teams devices, without a signed-in user. |
| a3371ca5-911d-46d6-901c-42c8c7a937d8 | TeamworkTag.ReadWrite.All | Read and write tags in Teams | Read and write tags in Teams without a signed-in user. |
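The Permission ID column holds the app role ids that Microsoft Graph exposes for its application permissions; when an administrator consents, each granted role becomes an appRoleAssignment object on the integration's service principal in the tenant. The Python script below is an added illustration (not NinjaOne's or Microsoft's code) of how a tenant owner can audit that consent: it runs offline on constructed sample data shaped like the two Graph responses named in its docstring, resolves every granted role id to its permission name, reports grants outside the documented set and documented permissions that are absent, and marks the grants whose compromise would matter most. The watch list of high-impact permissions, the tier rules, the object ids and the Mail.Read role id are the example's own assumptions and placeholders, not values from this page.

```python
"""
Consent audit for a Microsoft Graph application registration: which app roles
(application permissions) are actually granted to an integration's service
principal, and how they compare with the set the integration documents.

Added example, not NinjaOne's or Microsoft's own code. The JSON below is
constructed to mirror the shape of two real Graph responses:
  GET /v1.0/servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'
      -> Microsoft Graph's own service principal; its appRoles[] maps role id -> name
  GET /v1.0/servicePrincipals/{integrationSpId}/appRoleAssignments
      -> app roles an admin has consented to for the integration's principal
"""
from __future__ import annotations
import json

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known appId
GRAPH_SP_ID = "11111111-1111-1111-1111-111111111111"   # constructed tenant-local object id
OTHER_SP_ID = "22222222-2222-2222-2222-222222222222"   # constructed: some other resource API
INTEGRATION_SP_ID = "33333333-3333-3333-3333-333333333333"  # constructed: the integration's SP

# Constructed subset of Graph's appRoles. Ids are the application-permission ids
# from the table above, except Mail.Read, whose id is a placeholder.
GRAPH_SP_JSON = json.dumps({"value": [{"id": GRAPH_SP_ID, "appId": GRAPH_APP_ID, "appRoles": [
    {"id": "7438b122-aefc-4978-80ed-43db9fcc7715", "value": "Device.Read.All"},
    {"id": "1138cb37-bd11-4084-a2b7-9f71582aeddb", "value": "Device.ReadWrite.All"},
    {"id": "57f1cf28-c0c4-4ec3-9a30-19a2eaaf2f6e", "value": "BitlockerKey.Read.All"},
    {"id": "5b07b0dd-2377-4e44-a38d-703f09a0dc3c", "value": "DeviceManagementManagedDevices.PrivilegedOperations.All"},
    {"id": "06b708a9-e830-4db3-a914-8e69da51d44f", "value": "AppRoleAssignment.ReadWrite.All"},
    {"id": "5b567255-7703-4780-807c-7be8301ae99b", "value": "Group.Read.All"},
    {"id": "bf7b1a76-6e77-406b-b258-bf5c7720e98f", "value": "Group.Create"},
    {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "Mail.Read"},  # placeholder id
]}]})


def _grant(role_id: str, resource_id: str = GRAPH_SP_ID) -> dict:
    """Build one constructed appRoleAssignment record in Graph's shape."""
    return {"appRoleId": role_id, "principalId": INTEGRATION_SP_ID, "resourceId": resource_id}


ASSIGNMENTS_JSON = json.dumps({"value": [
    _grant("7438b122-aefc-4978-80ed-43db9fcc7715"),  # Device.Read.All
    _grant("1138cb37-bd11-4084-a2b7-9f71582aeddb"),  # Device.ReadWrite.All
    _grant("57f1cf28-c0c4-4ec3-9a30-19a2eaaf2f6e"),  # BitlockerKey.Read.All
    _grant("5b07b0dd-2377-4e44-a38d-703f09a0dc3c"),  # ...PrivilegedOperations.All
    _grant("06b708a9-e830-4db3-a914-8e69da51d44f"),  # AppRoleAssignment.ReadWrite.All
    _grant("aaaaaaaa-0000-0000-0000-000000000001"),  # Mail.Read: granted but not documented
    _grant("aaaaaaaa-0000-0000-0000-0000000000ff"),  # id absent from the role map (constructed)
    _grant("7438b122-aefc-4978-80ed-43db9fcc7715", OTHER_SP_ID),  # grant on another API: ignored
]})

# Subset of the documented permission set (from the table above), used as the baseline.
DOCUMENTED = {
    "Device.Read.All", "Device.ReadWrite.All", "BitlockerKey.Read.All",
    "DeviceManagementManagedDevices.PrivilegedOperations.All",
    "AppRoleAssignment.ReadWrite.All", "Group.Read.All", "Group.Create",
}

# Example's own watch list, chosen from the descriptions in the table above:
# permissions that read secrets, or that can change what apps are allowed to do.
HIGH_IMPACT = {
    "BitlockerKey.Read.All", "DeviceLocalCredential.Read.All",
    "AppRoleAssignment.ReadWrite.All", "Application.ReadWrite.All",
    "DelegatedPermissionGrant.ReadWrite.All", "Policy.ReadWrite.PermissionGrant",
    "RoleManagementPolicy.ReadWrite.Directory", "Policy.ReadWrite.ConditionalAccess",
}


def role_name_map(graph_sp_response: str) -> dict[str, str]:
    """Map app role id -> permission name from the Graph service principal's appRoles."""
    sp = json.loads(graph_sp_response)["value"][0]
    return {role["id"]: role["value"] for role in sp["appRoles"]}


def granted_permissions(assignments_response: str, role_names: dict[str, str],
                        graph_sp_id: str) -> set[str]:
    """Names of the roles granted on Microsoft Graph; unknown ids are kept, labelled."""
    names: set[str] = set()
    for a in json.loads(assignments_response)["value"]:
        if a.get("resourceId") != graph_sp_id:
            continue  # consent to a different API; out of scope for this audit
        names.add(role_names.get(a["appRoleId"], f"unknown:{a['appRoleId']}"))
    return names


def tier(permission: str) -> str:
    """Coarse privilege tier from the <Resource>.<Access>[.<Scope>] naming pattern."""
    parts = permission.split(".")
    access = parts[1] if len(parts) > 1 else ""
    if access == "PrivilegedOperations":
        return "privileged"
    if access in ("ReadWrite", "Create"):
        return "write"
    return "read" if access == "Read" else "other"


def audit(granted: set[str], documented: set[str]) -> dict:
    """Drift and risk report: extra grants, missing grants, and high-impact grants."""
    return {
        "undocumented": sorted(granted - documented),
        "missing": sorted(documented - granted),
        "high_impact": sorted(p for p in granted if p in HIGH_IMPACT or tier(p) == "privileged"),
        "by_tier": {t: sorted(p for p in granted if tier(p) == t)
                    for t in ("read", "write", "privileged", "other")},
    }


def run_audit() -> dict:
    """Run the audit over the constructed sample responses."""
    granted = granted_permissions(ASSIGNMENTS_JSON, role_name_map(GRAPH_SP_JSON), GRAPH_SP_ID)
    return audit(granted, DOCUMENTED)


if __name__ == "__main__":
    print(json.dumps(run_audit(), indent=2))
```

Against a real tenant the two JSON strings would be replaced by the bodies of the Graph calls named in the docstring, and DOCUMENTED by the full list from the table; a grant that shows up under "undocumented" or "unknown:" is the thing to investigate, since it means consent exists for something the integration does not claim to need.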
Permission Use Cases
The following table explains the use case for each permission.
| Permission Name | NinjaOne Use Case |
|---|---|
| User.Read | Confirm the identity of the administrator who is authorizing and setting up the NinjaOne integration. |
| Device.Read.All | Discover and import all Microsoft Intune-managed devices into the NinjaOne console for unified asset inventory and management. |
| Application.Read.All | Verify the installation status and version of the NinjaOne–Microsoft Intune application to ensure the integration is healthy and up to date. |
| User.Read.All | Sync user details from Entra ID to NinjaOne, enriching device asset information by associating devices with their assigned users. |
| Directory.Read.All | Read directory objects (users, groups, devices) and their relationships, enabling advanced filtering and targeting for policy deployment and reporting. |
| Group.Read.All | Read Entra ID group memberships, allowing for targeted agent deployment and policy assignment based on existing user or device groups. |
| Organization.Read.All | Retrieve key details about the connected Microsoft tenant, such as the organization name, for display and identification within the NinjaOne console. |
| Policy.Read.All | Read organizational policies (compliance, conditional access) to identify managed versus unmanaged devices and inform device synchronization rules. |
| EntitlementManagement.Read.All | Read access package assignments, helping to determine device context and user roles for more intelligent asset management and synchronization. |
| ServicePrincipal.Read.All | Identify the NinjaOne service principal during integration setup, particularly for configuring permissions under the GDAP (Granular Delegated Admin Privileges) model for MSPs. |
| Device.ReadWrite.All | Update Microsoft Intune device properties, such as writing back asset information or setting extension attributes used for Conditional Access policies. |
| AppCatalog.ReadWrite.All | Manage and deploy the NinjaOne agent application within the Microsoft Intune Company Portal app catalog. |
| Application-RemoteDesktopConfig.ReadWrite.All | Configure or remediate remote desktop security settings on managed devices directly from NinjaOne, ensuring secure remote access. |
| Application.ReadWrite.All | Create and manage the NinjaOne application registration within Entra ID, which is essential for deploying the agent and enabling the integration. |
| AppRoleAssignment.ReadWrite.All | Programmatically assign the necessary API permissions to the NinjaOne application, automating and simplifying the integration setup process. |
| AuditLog.Read.All | Monitor and collect audit logs related to device and user activities for security, compliance reporting, and troubleshooting integration issues. |
| AuditLogsQuery.Read.All | Collect comprehensive audit data from various Microsoft services for a holistic view of IT operations affecting assets. |
| BitlockerKey.Read.All | Retrieve BitLocker recovery keys for managed devices, enabling data recovery and security compliance verification. |
| CloudPC.ReadWrite.All | Discover, inventory, and manage Windows 365 Cloud PCs, allowing them to be treated as standard assets within the NinjaOne console. |
| CustomTags.ReadWrite.All | Apply and manage custom security attributes (tags) on directory objects, enabling advanced asset classification and policy targeting. |
| DelegatedAdminRelationship.ReadWrite.All | Establish and manage GDAP relationships, enabling MSPs to securely manage their clients' tenants through NinjaOne. |
| DelegatedPermissionGrant.ReadWrite.All | Manage the specific permission sets granted through GDAP, ensuring NinjaOne has the precise level of access required to operate within a customer tenant. |
| DeviceLocalCredential.Read.All | Retrieve local administrator passwords (LAPS) for managed devices, enabling technicians to perform administrative tasks securely. |
| DeviceManagementApps.ReadWrite.All | Manage the NinjaOne agent as an application within Microsoft Intune, including its deployment, configuration, and removal. |
| DeviceManagementCloudCA.ReadWrite.All | Manage Microsoft Cloud PKI certificates on devices, ensuring secure communication for the NinjaOne agent and other services. |
| DeviceManagementConfiguration.ReadWrite.All | Apply or modify Microsoft Intune device configuration and compliance policies to ensure devices are properly managed and secured by NinjaOne. |
| DeviceManagementManagedDevices.PrivilegedOperations.All | Enable remote actions (device wipe, restart) from NinjaOne on Microsoft Intune-managed devices for immediate support or security remediation. |
| DeviceManagementManagedDevices.ReadWrite.All | Read and update the properties of devices enrolled in Microsoft Intune, keeping the asset inventory in NinjaOne synchronized. |
| DeviceManagementRBAC.ReadWrite.All | Configure Microsoft Intune Role-Based Access Control (RBAC) settings, ensuring the NinjaOne service principal has the appropriate roles to perform its management functions. |
| DeviceManagementScripts.ReadWrite.All | Deploy and manage custom scripts on Microsoft Intune devices for extended asset discovery, automated remediation, or advanced agent management. |
| DeviceManagementServiceConfig.ReadWrite.All | Configure core Microsoft Intune settings, such as enabling the service connector required for the NinjaOne integration to function correctly. |
| DeviceTemplate.Create | Create standardized Microsoft Intune device templates for future support of diverse device types (beyond Win32 apps) for agent deployment. |
| DeviceTemplate.ReadWrite.All | Fully manage Microsoft Intune device templates, enabling consistent and scalable provisioning of new devices that will be managed by NinjaOne. |
| Directory.ReadWrite.All | Perform "writeback" operations from NinjaOne to Entra ID, such as updating user or group properties based on actions taken within NinjaOne. |
| Domain.ReadWrite.All | Read and manage domain information within the tenant, preparing for future capabilities like syncing new user accounts from specific domains. |
| Group.Create | Create new Entra ID groups from NinjaOne, for dynamically grouping devices that meet certain criteria (for example, "Missing Critical Patches"). |
| Group.ReadWrite.All | Create, manage, and read all group data, essential for organizing and targeting devices and users within NinjaOne. |
| GroupMember.ReadWrite.All | Manage group memberships to ensure correct targeting for agent deployments and policy applications. |
| LicenseAssignment.ReadWrite.All | Read user license assignments for Microsoft products, providing data for future IT Asset Management (ITAM) and license compliance features. |
| MultiTenantOrganization.ReadWrite.All | Manage settings in a multi-tenant environment, which is fundamental for MSPs using GDAP to connect to and manage multiple customer tenants. |
| Organization.ReadWrite.All | Update organizational details, such as branding information or technical contacts, ensuring consistency between the tenant and NinjaOne settings. |
| PlaceDevice.ReadWrite.All | Discover and manage workplace-joined (non-Microsoft Intune enrolled) devices, expanding asset inventory to include a wider range of company hardware. |
| Policy.ReadWrite.ConditionalAccess | Manage conditional access policies to ensure secure agent communication and proper resource access for managed devices. |
| Policy.ReadWrite.DeviceConfiguration | Administer device configuration policies directly from NinjaOne, enabling fine-grained control over managed assets. |
| Policy.ReadWrite.FeatureRollout | Control the rollout of Microsoft features (Windows updates) to specific user or device groups managed by NinjaOne. |
| Policy.ReadWrite.PermissionGrant | Manage application consent policies, ensuring that the NinjaOne integration has the necessary, admin-approved permissions to operate. |
| Policy.ReadWrite.SecurityDefaults | Read and configure fundamental security policies affecting all users and devices to maintain a strong security posture. |
| RoleManagement.ReadWrite.CloudPC | Manage role-based access control for Cloud PCs, enabling proper delegation of management tasks from within the NinjaOne platform. |
| RoleManagementPolicy.ReadWrite.Directory | Manage privileged access policies within the directory, which is crucial for maintaining security and compliance across the IT environment. |
| TeamworkDevice.ReadWrite.All | Discover and manage Microsoft Teams-specific hardware (Teams Rooms devices, phones) as part of the overall asset inventory. |
| TeamworkTag.ReadWrite.All | Manage tags in Microsoft Teams, for automating notifications to specific tagged groups or channels about IT asset events. |
Additional Resources
To learn more about the Microsoft Intune integration, refer to Getting Started with the Microsoft Intune Integration in NinjaOne.